Online service providers often rely on user names and passwords for authenticating users of their online services. The drawback of a simple user name/password scheme is that once a user's credentials have been compromised, an attacker can utilize these credentials to log into the user's account(s) from anywhere in the world using any device. Providers of critical online services, such as online banking, might impose additional authentication means or steps for added security. For example, the online service provider may require complex passwords and/or ensure that passwords are changed frequently.
Additionally or alternatively, the online service provider may send a one-time code to another device of the user, such as a mobile phone via short message service (“SMS”) text message, or provide a security token that generates a code valid only within a specific time window, during which the user must enter the code in addition to the user name and password to log into the service. However, these schemes may still be susceptible to man-in-the-middle attacks in which the one-time code is stolen along with the user name and password and relayed to the attacker in real time, allowing the attacker to log into the online service within that time window.